Saturday, December 19, 2015

(The Big Disrupt) IT: The Double Edged Sword That IS Being A CISO

In an age where IBM CEO
Virginia Rometty well-worn phrase that data is the natural resource of the 21st
century is looking less and less presumptuous, companies across the aboard are
investing an awful lot of money securing their data and their IT infrastructure
from attacks which should be good news for CISO’s who are solely in charge securing
both as the role has risen to prominence in light of large data breaches
however, this puts a lot of pressure on CISO’s to get things right when the
odds are firmly stacked against them.

Sure you might think CISO armed
with growing budgets, years of experience dealing with cyber-attacks and threats,
a rash of tools offered by security vendors, and a strong team behind them
would put in a great position to stave off the threat of hackers but CISO’s,
despite all these advantages are still at a disadvantage as they face an enemy that
outnumber them and are often as good or better at breaching security systems as
CISO’s are at protecting them. While attackers can get caught and prosecuted, the
cost barrier to entry is almost insultingly low given how much companies have to
spend to deal with a data breach. To give you an idea, TalkTalk’s data breach
in October will likely cost the company 30- 35 million while the attackers
would be breaking the bank if their efforts broke into the thousands[1].

A good chunk of that 30 million
will likely go to their CISO’s budget as the company stated that they will give
their CISO “carte blanche over security investments” which was likely to happen
anyway given the company’s managing director Charles Bligh revealed that they
were discussing spending more on security before the breach happened [2].
TalkTalk’s renewed commitment to security may reveal the company intention to
avoid being breached again but this new focus in various organizations across
many fields is leading to a strange occurrence of CISO’s budgets increasing
despite companies experiencing breaches.

While security is obviously
going to become a top priority for organizations after experiencing a breach,
it’s highly unlikely a costly failure in any other role in the C-suite would be
rewarded with an increased budget. You don’t have to be rocket scientist to
find out what would happen if a CMO burned a 30 million hole in his budget on a
marketing campaign that failed horribly or a CEO presided over sustained period
of no or low growth as both would be out of a job before long. However, Unlike
CEO’s or CMO’s, a CISO’s job is largely about planning for worst as opposed for
the best working to stop multiple threats which means they negotiate a higher
degree of risk of failure.

The high risk of failure seems
to be growing by the month as CISO’s experience their responsibilities expand
at a rapid rate with organizations embracing new technologies such as wearables,
mobile, and the internet of things which CISO’s have to secure. This should
prove good news for CISO’s as more responsibility means greater stature in the
organization but they also have contend with a notable increase in cyber-attacks
and a much talked about lack of talent
in the cybersecurity field which makes covering their growing remit that much
harder.

In sum, like a number in the
C-suite, CISO’s find themselves subject to a growing budget, greater responsibility
and yet overwhelmed by their role but whatever happens, expect CISO’s to be
prepared for it.